One-time password authentication for SSH.
Switch branches/tags
Nothing to show
Clone or download
Pull request Compare This branch is even with ziyan:master.
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.


Add one-time password authentication to your SSH server.

user@localhost:~$ ssh server
Enter passphrase for key '/home/user/.ssh/id_rsa': 
One-time password: 123456
Incorrect code. Please try again.

One-time password: 653794

The following instructions are based on ubuntu, but they can be adapted for other Linux distributions.


Copy ssh-otp to /usr/local/bin:

sudo mkdir -p /usr/local/bin
sudo cp ssh-otp

Add the following line in your /etc/ssh/sshd_config:

ForceCommand /usr/local/bin/ssh-otp login

And restart sshd:

sudo restart ssh


Generate one-time password secret for current user:

ssh-otp setup

You will need to set up your authenticator using the QR code link and type in the displayed code on your authenticator to actually enable one-time password authentication on SSH conneciton.

You can find the configuration file at:



To disable otp for the current user:

ssh-otp reset

Non-interactive commands

To use commands like scp, you need to pass in the one-time password through a OTP environment variable.

In /etc/ssh/sshd_config, add OTP to the list of AcceptEnv:

AcceptEnv OTP

On the client machine, instruct ssh to send the OTP environment by adding the following in your ~/.ssh/config:

Host *
SendEnv OTP

Now set the OTP environment before sending the command over ssh:

OTP="123456" scp server:~/.ssh/authorized_key .